<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Hi Ronak,<div><br></div><div>So the domain container allows uniqueness of user, group and project NAME to be within a domain only (i.e. so you can have a project called "Test" in two different domains, and they'll be different). The user, group and project IDs, however, remain globally unique.</div><div><br></div><div>By design, there is nothing in the api to prevent a user in one domain from having a role on a project in another domain. I think that this will be an uncommon case for regular users, but might be common for classes of administrator, for example.</div><div><br></div><div>Henry</div><div><br></div><div><br><div><div>On 21 Mar 2013, at 18:01, Ronak Shah wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div dir="ltr"><font face="arial, helvetica, sans-serif">Hi,</font><div><font face="arial, helvetica, sans-serif">I was trying to make sense of the new keystone models looking at the code @ <a href="https://github.com/openstack/keystone/blob/master/keystone/identity/backends/sql.py">https://github.com/openstack/keystone/blob/master/keystone/identity/backends/sql.py</a></font></div>
<div><font face="arial, helvetica, sans-serif"><br></font></div><div style=""><font face="arial, helvetica, sans-serif">I liked the fact that we have a notion of domains as a global container for user, group and projects.</font></div>
<div style=""><font face="arial, helvetica, sans-serif">I believe since its added as a foreignkey to all these tables, we are ensuring uniqueness of user, group and projects per domain.</font></div><div style=""><font face="arial, helvetica, sans-serif"><br>
</font></div><div style=""><font face="arial, helvetica, sans-serif">On the same line, I think we are missing a check on the user-group, user-project relationship also to be unique per domain. Is this a bug or implementation? If implementation, why?</font></div>
<div style=""><font face="arial, helvetica, sans-serif"><br></font></div><div style=""><div style="line-height: 12pt; "><br class="webkit-block-placeholder"></div><pre style="margin-top:0px;margin-bottom:0px;padding:0px;border:0px;font-size:12px;color:rgb(51,51,51)"><div class="" id="LC705" style="margin:0px;padding:0px 0px 0px 10px;border:0px"><font face="courier new, monospace">    <span class="" style="margin:0px;padding:0px;border:0px;font-weight:bold">def</span> <span class="" style="margin:0px;padding:0px;border:0px;color:rgb(153,0,0);font-weight:bold">add_user_to_group</span><span class="" style="margin:0px;padding:0px;border:0px">(</span><span class="" style="margin:0px;padding:0px;border:0px;color:rgb(153,153,153)">self</span><span class="" style="margin:0px;padding:0px;border:0px">,</span> <span class="" style="margin:0px;padding:0px;border:0px">user_id</span><span class="" style="margin:0px;padding:0px;border:0px">,</span> <span class="" style="margin:0px;padding:0px;border:0px">group_id</span><span class="" style="margin:0px;padding:0px;border:0px">):</span></font></div>
<div class="" id="LC706" style="margin:0px;padding:0px 0px 0px 10px;border:0px"><font face="courier new, monospace">        <span class="" style="margin:0px;padding:0px;border:0px">session</span> <span class="" style="margin:0px;padding:0px;border:0px;font-weight:bold">=</span> <span class="" style="margin:0px;padding:0px;border:0px;color:rgb(153,153,153)">self</span><span class="" style="margin:0px;padding:0px;border:0px;font-weight:bold">.</span><span class="" style="margin:0px;padding:0px;border:0px">get_session</span><span class="" style="margin:0px;padding:0px;border:0px">()</span></font></div>
<div class="" id="LC707" style="margin:0px;padding:0px 0px 0px 10px;border:0px"><font face="courier new, monospace">        <span class="" style="margin:0px;padding:0px;border:0px;color:rgb(153,153,153)">self</span><span class="" style="margin:0px;padding:0px;border:0px;font-weight:bold">.</span><span class="" style="margin:0px;padding:0px;border:0px">get_group</span><span class="" style="margin:0px;padding:0px;border:0px">(</span><span class="" style="margin:0px;padding:0px;border:0px">group_id</span><span class="" style="margin:0px;padding:0px;border:0px">)</span></font></div>
<div class="" id="LC708" style="margin:0px;padding:0px 0px 0px 10px;border:0px"><font face="courier new, monospace">        <span class="" style="margin:0px;padding:0px;border:0px;color:rgb(153,153,153)">self</span><span class="" style="margin:0px;padding:0px;border:0px;font-weight:bold">.</span><span class="" style="margin:0px;padding:0px;border:0px">get_user</span><span class="" style="margin:0px;padding:0px;border:0px">(</span><span class="" style="margin:0px;padding:0px;border:0px">user_id</span><span class="" style="margin:0px;padding:0px;border:0px">)</span></font></div>
<div class="" id="LC709" style="margin:0px;padding:0px 0px 0px 10px;border:0px"><font face="courier new, monospace">        <span class="" style="margin:0px;padding:0px;border:0px">query</span> <span class="" style="margin:0px;padding:0px;border:0px;font-weight:bold">=</span> <span class="" style="margin:0px;padding:0px;border:0px">session</span><span class="" style="margin:0px;padding:0px;border:0px;font-weight:bold">.</span><span class="" style="margin:0px;padding:0px;border:0px">query</span><span class="" style="margin:0px;padding:0px;border:0px">(</span><span class="" style="margin:0px;padding:0px;border:0px">UserGroupMembership</span><span class="" style="margin:0px;padding:0px;border:0px">)</span></font></div>
<div class="" id="LC710" style="margin:0px;padding:0px 0px 0px 10px;border:0px"><font face="courier new, monospace">        <span class="" style="margin:0px;padding:0px;border:0px">query</span> <span class="" style="margin:0px;padding:0px;border:0px;font-weight:bold">=</span> <span class="" style="margin:0px;padding:0px;border:0px">query</span><span class="" style="margin:0px;padding:0px;border:0px;font-weight:bold">.</span><span class="" style="margin:0px;padding:0px;border:0px">filter_by</span><span class="" style="margin:0px;padding:0px;border:0px">(</span><span class="" style="margin:0px;padding:0px;border:0px">user_id</span><span class="" style="margin:0px;padding:0px;border:0px;font-weight:bold">=</span><span class="" style="margin:0px;padding:0px;border:0px">user_id</span><span class="" style="margin:0px;padding:0px;border:0px">)</span></font></div>
<div class="" id="LC711" style="margin:0px;padding:0px 0px 0px 10px;border:0px"><font face="courier new, monospace">        <span class="" style="margin:0px;padding:0px;border:0px">query</span> <span class="" style="margin:0px;padding:0px;border:0px;font-weight:bold">=</span> <span class="" style="margin:0px;padding:0px;border:0px">query</span><span class="" style="margin:0px;padding:0px;border:0px;font-weight:bold">.</span><span class="" style="margin:0px;padding:0px;border:0px">filter_by</span><span class="" style="margin:0px;padding:0px;border:0px">(</span><span class="" style="margin:0px;padding:0px;border:0px">group_id</span><span class="" style="margin:0px;padding:0px;border:0px;font-weight:bold">=</span><span class="" style="margin:0px;padding:0px;border:0px">group_id</span><span class="" style="margin:0px;padding:0px;border:0px">)</span></font></div>
<div class="" id="LC712" style="margin:0px;padding:0px 0px 0px 10px;border:0px"><font face="courier new, monospace">        <span class="" style="margin:0px;padding:0px;border:0px">rv</span> <span class="" style="margin:0px;padding:0px;border:0px;font-weight:bold">=</span> <span class="" style="margin:0px;padding:0px;border:0px">query</span><span class="" style="margin:0px;padding:0px;border:0px;font-weight:bold">.</span><span class="" style="margin:0px;padding:0px;border:0px">first</span><span class="" style="margin:0px;padding:0px;border:0px">()</span></font></div>
<div class="" id="LC713" style="margin:0px;padding:0px 0px 0px 10px;border:0px"><font face="courier new, monospace">        <span class="" style="margin:0px;padding:0px;border:0px;font-weight:bold">if</span> <span class="" style="margin:0px;padding:0px;border:0px">rv</span><span class="" style="margin:0px;padding:0px;border:0px">:</span></font></div>
<div class="" id="LC714" style="margin:0px;padding:0px 0px 0px 10px;border:0px"><font face="courier new, monospace">            <span class="" style="margin:0px;padding:0px;border:0px;font-weight:bold">return</span></font></div>
<div class="" id="LC715" style="margin:0px;padding:0px 0px 0px 10px;border:0px"><font face="courier new, monospace"><br></font></div><div class="" id="LC716" style="margin:0px;padding:0px 0px 0px 10px;border:0px"><font face="courier new, monospace">        <span class="" style="margin:0px;padding:0px;border:0px;font-weight:bold">with</span> <span class="" style="margin:0px;padding:0px;border:0px">session</span><span class="" style="margin:0px;padding:0px;border:0px;font-weight:bold">.</span><span class="" style="margin:0px;padding:0px;border:0px">begin</span><span class="" style="margin:0px;padding:0px;border:0px">():</span></font></div>
<div class="" id="LC717" style="margin:0px;padding:0px 0px 0px 10px;border:0px"><font face="courier new, monospace">            <span class="" style="margin:0px;padding:0px;border:0px">session</span><span class="" style="margin:0px;padding:0px;border:0px;font-weight:bold">.</span><span class="" style="margin:0px;padding:0px;border:0px">add</span><span class="" style="margin:0px;padding:0px;border:0px">(</span><span class="" style="margin:0px;padding:0px;border:0px">UserGroupMembership</span><span class="" style="margin:0px;padding:0px;border:0px">(</span><span class="" style="margin:0px;padding:0px;border:0px">user_id</span><span class="" style="margin:0px;padding:0px;border:0px;font-weight:bold">=</span><span class="" style="margin:0px;padding:0px;border:0px">user_id</span><span class="" style="margin:0px;padding:0px;border:0px">,</span></font></div>
<div class="" id="LC718" style="margin:0px;padding:0px 0px 0px 10px;border:0px"><font face="courier new, monospace">                                            <span class="" style="margin:0px;padding:0px;border:0px">group_id</span><span class="" style="margin:0px;padding:0px;border:0px;font-weight:bold">=</span><span class="" style="margin:0px;padding:0px;border:0px">group_id</span><span class="" style="margin:0px;padding:0px;border:0px">))</span></font></div>
<div class="" id="LC719" style="margin:0px;padding:0px 0px 0px 10px;border:0px"><font face="courier new, monospace">            <span class="" style="margin:0px;padding:0px;border:0px">session</span><span class="" style="margin:0px;padding:0px;border:0px;font-weight:bold">.</span><span class="" style="margin:0px;padding:0px;border:0px">flush</span><span class="" style="margin:0px;padding:0px;border:0px">()</span></font></div>
<div class="" id="LC719" style="margin:0px;padding:0px 0px 0px 10px;border:0px"><span class="" style="margin:0px;padding:0px;border:0px"><font face="arial, helvetica, sans-serif"><br></font></span></div><div class="" id="LC719" style="margin:0px;padding:0px 0px 0px 10px;border:0px">
<font face="arial, helvetica, sans-serif">Above code adds user to group without checking for the common domain. </font></div><div class="" id="LC719" style="margin:0px;padding:0px 0px 0px 10px;border:0px"><font face="arial, helvetica, sans-serif">This allow User A in Domain A associated with Group B in Domain B?</font></div>
<div class="" id="LC719" style="margin:0px;padding:0px 0px 0px 10px;border:0px"><font face="arial, helvetica, sans-serif">Ideally User A shouldnt be doing anything in Domain B. Isnt it?</font></div><div class="" id="LC719" style="margin:0px;padding:0px 0px 0px 10px;border:0px">
<font face="arial, helvetica, sans-serif"><br></font></div><div class="" id="LC719" style="margin:0px;padding:0px 0px 0px 10px;border:0px"><font face="arial, helvetica, sans-serif">Thanks,</font></div><div class="" id="LC719" style="margin:0px;padding:0px 0px 0px 10px;border:0px">
<font face="arial, helvetica, sans-serif">Ronak</font></div></pre><div><br class="webkit-block-placeholder"></div></div><div style=""><br></div><div style=""><br></div></div>
_______________________________________________<br>OpenStack-dev mailing list<br><a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev<br></blockquote></div><br></div></body></html>
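As an added example that is neither keystone's code nor from either poster: a sqlite sketch of the scoping Henry describes (a project named "Test" can exist in two domains while ids stay globally unique) together with the flow of the quoted add_user_to_group, which admits cross-domain membership. The require_same_domain flag is a hypothetical opt-in check of the kind Ronak asks about, not something the posted code or keystone provides.

```python
# Added example, not keystone's code: a sqlite sketch of the scoping Henry describes
# (names unique per domain, ids global) and the quoted method with an opt-in domain check.
import sqlite3

SCHEMA = """
CREATE TABLE domain (id TEXT PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE user (id TEXT PRIMARY KEY, domain_id TEXT NOT NULL REFERENCES domain(id),
                   name TEXT NOT NULL, UNIQUE (domain_id, name));
CREATE TABLE "group" (id TEXT PRIMARY KEY, domain_id TEXT NOT NULL REFERENCES domain(id),
                      name TEXT NOT NULL, UNIQUE (domain_id, name));
CREATE TABLE project (id TEXT PRIMARY KEY, domain_id TEXT NOT NULL REFERENCES domain(id),
                      name TEXT NOT NULL, UNIQUE (domain_id, name));
CREATE TABLE user_group_membership (user_id TEXT NOT NULL REFERENCES user(id),
                                    group_id TEXT NOT NULL REFERENCES "group"(id),
                                    PRIMARY KEY (user_id, group_id));
"""
SCOPED = ("user", "group", "project")  # name is unique only within a domain

def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn

def create(conn, table, id_, domain_id, name):
    """False if the id is taken anywhere or the name is taken in this domain."""
    if table not in SCOPED:
        raise ValueError(table)
    try:
        conn.execute(f'INSERT INTO "{table}" (id, domain_id, name) VALUES (?, ?, ?)',
                     (id_, domain_id, name))
        return True
    except sqlite3.IntegrityError:
        return False

def add_user_to_group(conn, user_id, group_id, require_same_domain=False):
    """Same flow as the quoted keystone method: resolve both, no-op if already a
    member, else insert. require_same_domain is hypothetical, not in the posted code."""
    grp = conn.execute('SELECT domain_id FROM "group" WHERE id = ?', (group_id,)).fetchone()
    usr = conn.execute("SELECT domain_id FROM user WHERE id = ?", (user_id,)).fetchone()
    if grp is None or usr is None:
        raise LookupError("unknown user or group")
    if require_same_domain and usr[0] != grp[0]:
        raise PermissionError("user and group belong to different domains")
    if conn.execute("SELECT 1 FROM user_group_membership WHERE user_id = ? AND group_id = ?",
                    (user_id, group_id)).fetchone():
        return False  # already a member
    conn.execute("INSERT INTO user_group_membership VALUES (?, ?)", (user_id, group_id))
    return True
```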